-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Response Team Boosts Open Source Security

,----[ Quote ]
| All in all, oCERT sounds like a worthwhile project that will provide a
| valuable service to the community of open source vendors and customers. Let's
| hope it wins enough support to sustain itself for the long run. (That name
| might be a problem, for starters -- CERT is a trademark of Carnegie Mellon
| University.)
`----

http://www.pcworld.com/businesscente..._security.html

Pondering when your next break-in will happen

,----[ Quote ]
| I mean how much trust can you have in say, Microsoft, which has, nine
| count 'em nine "high risk" vulnerabilities. Three of those have been on the
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| list for more than a year, and one is closing in on its second birthday.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^|
| In all fairness, Microsoft isn't the only bad egg. Computer Associates, IBM,
| Novell and HP also make multiple appearances on the list.
|
| Still, it does make me wonder. How long exactly can some of those ancient
| security holes go unfixed before someone else discovers them? Say someone who
| will immediately put his discovery to use by quietly infecting a few million
| Windows PCs?
`----

http://blogs.computerworld.com/ponde...in_will_happen

Other flaws they just sweep under the rug too. Not anymore:

Hacker marketplace to help build 0day appliance

,----[ Quote ]
| WabiSabiLabi, the company best known for building an online marketplace for
| security flaws, is getting into the hardware business.
`----

http://www.linuxworld.com.au/index.p...887698&rid=-50


Recent:

What spooks Microsoft's chief security advisor

,----[ Quote ]
| Speaking at the Boston SecureWorld conference Wednesday, the 19-year
| Microsoft veteran whose job includes protecting enterprises, developers and
| Microsoft itself said there actually is plenty of good news on the security
| front. For example, his outfit scans a half million devices (with customer
| permission) per month and in the first half of last year saw the first
| period-over-period decline in new vulnerabilities disclosed across Microsoft
| and non-Microsoft software since 2003. * * *
|
| However, 3,400 new vulnerabilities were discovered and “it’s still a big
| number,” Arsenault says. “So if vulnerability rates are down, where are
| they?” *
`----

http://www.networkworld.com/news/200...-concerns.html


With Vista breached, Linux unbeaten in hacking contest

,----[ Quote ]
| The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on
| the last day of the contest; but it was Linux, running on a Sony Vaio, that
| remained undefeated as conference organizers ended a three-way computer
| hacking challenge Friday at the CanSecWest conference. *
`----

http://www.linuxworld.com/news/2008/...rss-linux-news


Bots rule in cyberspace

,----[ Quote ]
| USA TODAY REPORTS that on an average day, 40 per cent of the 800 million
| computers connected to the Internet are bots used to send out spam, viruses
| and to mine for sensitive personal data.
`----

http://www.theinquirer.net/gb/inquir...ule-cyberspace
http://www.usatoday.com/tech/news/co...-botnets_N.htm


Vista SP1 will contain undocumented fixes

,----[ Quote ]
| Interesting email in today mailbag: *“Will SP1 contain undisclosed or
| undocumented security fixes?”
|
| For some people, counting the number of security flaws that one OS has
| compared to another is important because it offers a metric upon which to *
| determine which OS is the most secure (personally, I feel that it’s a bogus
| metric, but I’ll let it slide for now). *However, many claim that Microsoft
| stacks the deck in its favor by not disclosing a full list of vulnerabilities
| that have been patched by omitting to include those discovered and patched
| in-house. * * *
`----

http://blogs.zdnet.com/hardware/?p=1225


Related:

Critical Vulnerability in Microsoft Metrics

,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update. * * *
`----

http://blog.mozilla.com/security/200...osoft-metrics/


Skeletons in Microsoft’s Patch Day closet

,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions. *
`----

http://blogs.zdnet.com/security/?p=316


Beware of undisclosed Microsoft patches

,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?
`----

http://blogs.zdnet.com/microsoft/?p=527


Microsoft is Counting Bugs Again

,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
|
| [...]
|
| The point: Don't count on security flaw counting. The real flaw is
| the counting.
`----

http://www.microsoft-watch.com/conte...129TX1K0000535
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIIWdBU4xAY3RXLo4RApXyAJ0fqRxacfdAfQy44gS7Dg 7+J0rUpgCfU5ad
RPKR023QD65sj7aFwWcZ2eY=
=mb2I
-----END PGP SIGNATURE-----